A previously undocumented Android spyware tool named “BadBazaar” has been tied to the Chinese defense contractor Xi’an Tian He Defense Technology. Researchers at Lookout discovered the malware being used to target ethnic and religious minorities in China, notably the Uyghur population in Xinjiang. During their investigation, the researchers found that the malware was using the same infrastructure seen in APT15 campaigns from 2020.
Since 2018, APT15 has spoofed at least 111 unique applications to hide its spyware, with categories ranging from dictionary applications to religious companions, battery optimizers, and video players. These applications were largely promoted on communication channels frequented by groups such as the Uyghurs, and none of them appeared on the official Google Play Store. BadBazaar’s data-collecting capabilities include:
- Precise location
- Listing installed applications
- Contact collection
- Listing device info
- Listing WiFi info
- Call recording
- Call logs with GPS data
- SMS
- Camera capture
- File/database exfiltration
- Folder access
Starting in July 2022, a new variant of the “Moonshine” spyware was identified targeting the Uyghur population; the same family was previously used by this actor against Tibetan groups in 2019. The actor spoofed at least 50 different applications to deploy the malware, which supports the following capabilities:
- Call recording
- Contact collection
- Retrieval of files
- GPS data
- SMS
- Camera capture
- Microphone recording
- SOCKS proxy
- WeChat data collection
While this malware could not be tied with certainty to APT15 or Xi’an Tian He Defense Technology, the researchers noted that, given the tool’s complexity, it was written by a Chinese developer with substantial resources.
Analyst Notes
This campaign highlights the difficulty of attributing threat campaigns. The BadBazaar malware was first tied to a campaign in the Middle East in 2017, then to APT15 in 2020, and now to Xi’an Tian He Defense Technology in 2022. This is likely because the tool is sold as a service rather than developed in-house by each group, a model that is becoming increasingly commonplace.
Additionally, while the recent campaign involving the new “Moonshine” variant could not be confirmed as the work of any specific group, its behavior matches the recent campaign attributed to Xi’an Tian He Defense Technology, suggesting the two may be related. Moreover, because this company is targeting the same groups that APT15 has historically targeted, using the same malware seen previously, the two actors may themselves be related, although this cannot be confirmed.
As this is Android malware, there is little an enterprise can do to detect this activity from a network standpoint. It is best to limit BYOD policies in the workplace, educate users about campaigns such as this one, and enforce strong password and authentication policies to prevent suspicious logons.
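One check that is available where devices are enrolled in an MDM or can be inventoried over adb: since the spoofed applications in this campaign were never on Google Play, any package installed from somewhere other than a trusted store is worth reviewing. The script below is an added example, not code from the original post or from Lookout. It assumes a third-party package inventory in the format produced by `adb shell pm list packages -3 -i` (one `package:<name>  installer=<pkg|null>` line per app); the sample lines and package names are constructed for illustration, and the trusted-installer set is an assumption to be extended with any enterprise-managed store.

```python
"""Flag sideloaded Android packages from a `pm list packages -3 -i` inventory.

Added example (not from the original post). Assumes each inventory line
reads `package:<name>  installer=<installer package or null>`, as printed
by `adb shell pm list packages -3 -i` for third-party apps.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Matches one inventory line; `installer=null` means the package was not
# installed by any installer app (typically an adb or legacy sideload).
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")

# Installer packages treated as trusted storefronts. Assumption: Google Play
# only; add the package name of any enterprise-managed store you use.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}


@dataclass(frozen=True)
class Finding:
    package: str
    installer: Optional[str]
    reason: str


def parse_inventory(text: str) -> List[Tuple[str, Optional[str]]]:
    """Parse inventory text into (package, installer-or-None) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised inventory line: {line!r}")
        installer = match.group("installer")
        entries.append((match.group("pkg"), None if installer == "null" else installer))
    return entries


def flag_sideloaded(entries, trusted: Set[str] = TRUSTED_INSTALLERS) -> List[Finding]:
    """Return a Finding for every package not installed by a trusted store."""
    findings = []
    for pkg, installer in entries:
        if installer is None:
            findings.append(Finding(pkg, None, "no installer recorded (adb or legacy sideload)"))
        elif installer not in trusted:
            findings.append(Finding(pkg, installer, f"installed via untrusted source {installer}"))
    return findings


# Constructed sample inventory: two apps from Play, one installed through the
# system package installer (a manual APK install), one with no installer.
SAMPLE_INVENTORY = """\
package:com.example.dictionary  installer=com.android.vending
package:com.example.batterysaver  installer=com.google.android.packageinstaller
package:com.example.videoplayer  installer=null
package:com.example.prayertimes  installer=com.android.vending
"""


def report(text: str = SAMPLE_INVENTORY, trusted: Set[str] = TRUSTED_INSTALLERS) -> List[Finding]:
    """Parse the inventory and return the packages that need review."""
    return flag_sideloaded(parse_inventory(text), trusted)


if __name__ == "__main__":
    for finding in report():
        print(f"{finding.package}: {finding.reason}")
```

Run against the constructed sample, the report lists the battery-saver app (installed through the system package installer rather than a store) and the video player (no installer recorded). A package showing up here is not proof of compromise, but for a population of managed devices it narrows the review to exactly the installation path this campaign relied on.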
https://www.bleepingcomputer.com/news/security/new-badbazaar-android-malware-linked-to-chinese-cyberspies/